Qradar Siem 7.2 Windows Event Collection Overview: Panelists
Panelists
• Aaron Breen – QRadar World-wide Support Leader
• Adam Frank – Principal Solutions Architect
• Jonathan Pechta – Support Technical Writer
• Jeff Rusk – Team Lead, QRadar Integration Services and Maintenance
• Colin Hay – Team Lead, QRadar Integration Services and Maintenance
• Andrew Merrithew – QRadar Integration Team Developer
• Luke Dewitt – QRadar Support Technical Lead
• Mark Wright – QRadar L2 Support Manager
USA: 866-803-2145
Canada: 866-845-8496
Participant passcode: 9348947
Slides and additional dial in numbers: https://ibm.biz/BdFYFa
© 2014 IBM Corporation
IBM Security Systems
[Diagram: WinCollect event collection. The WinCollect agent reads the Microsoft Windows Security Event Log (locally or remotely over WMI), polls the QRadar Console for its configuration on port 8413, and forwards events as syslog on port 514 to an Event Collector (EC, 16xx appliance) over the ETHx interface.]
• Supports more remote Windows sources than the Adaptive Log Exporter.
Drawbacks
• The Adaptive Log Exporter is the predecessor to WinCollect and will eventually
be phased out.
• A single Adaptive Log Exporter can only poll up to 20 other hosts for their events.
• Changes must be completed on the remote Windows host.
• Does not support bulk adding of log sources.
System requirements
WinCollect and the Adaptive Log Exporter have high stated requirements because
the environment where the agent will be installed is not known in advance. The
specifications are set to ensure performance regardless of the number of events
that need to be processed.
Custom Event Properties & Security Content Packs
WinCollect Event Filtering: XPath vs Exclusion Filters
Exclusion filter
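The two filtering styles named above, as an added example that is not IBM or WinCollect code: it dry-runs an XPath selection query and an exclusion-style query against the local Security log with Get-WinEvent before either is put into a WinCollect log source. It assumes that WinCollect XPath queries use the same QueryList syntax as Event Viewer custom views, so a query that works with Get-WinEvent -FilterXml selects the same events on the agent; the event IDs chosen are illustrative.

```powershell
# Added example, not IBM or WinCollect code: dry-run two filtering approaches against the
# local Security log before putting them in a WinCollect log source.
# Assumption: WinCollect XPath queries use the same <QueryList> syntax as Event Viewer
# custom views, so Get-WinEvent -FilterXml shows what the agent would forward.
# Run from an elevated session; reading the Security log requires administrator rights.

# 1) XPath selection: keep only the events you want (logon success/failure and explicit
#    credential use) and drop everything else.
$xpathSelect = @'
<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">*[System[(EventID=4624 or EventID=4625 or EventID=4648)]]</Select>
  </Query>
</QueryList>
'@

# 2) Exclusion-style filter: keep everything except known noisy IDs (4658 handle closed,
#    4690 handle duplicated, 5156/5158 Windows Filtering Platform permits). The <Suppress>
#    clause is the XPath equivalent of an exclusion list of event IDs.
$xpathExclude = @'
<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">*</Select>
    <Suppress Path="Security">*[System[(EventID=4658 or EventID=4690 or EventID=5156 or EventID=5158)]]</Suppress>
  </Query>
</QueryList>
'@

function Measure-FilterHits {
    # Returns a per-EventID count of what the query would forward, over the newest $MaxEvents.
    param(
        [Parameter(Mandatory)][string]$QueryXml,
        [int]$MaxEvents = 5000
    )
    try {
        $events = @(Get-WinEvent -FilterXml ([xml]$QueryXml) -MaxEvents $MaxEvents -ErrorAction Stop)
    } catch {
        # Get-WinEvent throws when no event matches; report an empty result instead.
        Write-Warning "Query returned no events: $($_.Exception.Message)"
        $events = @()
    }
    $events | Group-Object -Property Id | Sort-Object -Property Count -Descending |
        Select-Object @{Name = 'EventID'; Expression = { [int]$_.Name }}, Count
}

'--- XPath selection filter ---'
Measure-FilterHits -QueryXml $xpathSelect | Format-Table -AutoSize
'--- Exclusion-style filter (Suppress) ---'
Measure-FilterHits -QueryXml $xpathExclude | Format-Table -AutoSize
```

The selection query is the safer default on hosts where you know which events you need, because new noisy event IDs cannot slip through; the exclusion query is the pragmatic choice on hosts whose audit policy changes over time, at the cost of forwarding whatever is not on the list.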
Support tools
• WinCollect Ping
This tool verifies the existence of a PEM certificate file and attempts to
contact the Configuration Server as specified in the agent configuration.
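The same two checks that WinCollect Ping performs, as an added example that is not IBM's tool, written in PowerShell so they can be scripted across many agents. It assumes the PEM path is passed in (the page gives only the install directory C:\Program Files\IBM\WinCollect), that the console address is the one in the agent configuration, and that the configuration server on port 8413 speaks TLS; the function name and parameters are the example's own.

```powershell
# Added example, not IBM's WinCollect Ping: verify the PEM certificate file and contact the
# configuration server. Assumptions: PEM path supplied by the caller, console on port 8413,
# and a TLS handshake is accepted on that port.
function Test-WinCollectConsole {
    param(
        [Parameter(Mandatory)][string]$ConsoleAddress,
        [Parameter(Mandatory)][string]$PemPath,
        [int]$Port = 8413,
        [int]$TimeoutMs = 5000
    )
    $result = [ordered]@{
        PemExists = $false; PemSubject = $null; PemExpires = $null
        TcpReachable = $false; TlsOk = $false; ServerCertChainsToPem = $false; Error = $null
    }

    # Check 1: the PEM file exists and parses as an X.509 certificate.
    if (-not (Test-Path -LiteralPath $PemPath)) {
        $result.Error = "PEM file not found: $PemPath"
        return [pscustomobject]$result
    }
    $result.PemExists = $true
    $pem = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $PemPath
    $result.PemSubject = $pem.Subject
    $result.PemExpires = $pem.NotAfter

    # Check 2: TCP connect with a timeout, then a TLS handshake that captures the server cert.
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($ConsoleAddress, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs)) {
            $result.Error = "No TCP response from ${ConsoleAddress}:$Port within $TimeoutMs ms"
            return [pscustomobject]$result
        }
        $client.EndConnect($async)
        $result.TcpReachable = $true

        # Accept the handshake so the certificate can be inspected; the trust decision is the
        # explicit chain check against the local PEM below, not this callback.
        $script:remoteCert = $null
        $callback = [System.Net.Security.RemoteCertificateValidationCallback]{
            param($sender, $cert, $chain, $errors)
            $script:remoteCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $cert
            return $true
        }
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $callback)
        $ssl.AuthenticateAsClient($ConsoleAddress)
        $result.TlsOk = $true

        # Build a chain with the PEM as an extra trust anchor. This passes whether the PEM is
        # the console's own (self-signed) certificate or the CA that issued it.
        $chainCheck = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $null = $chainCheck.ChainPolicy.ExtraStore.Add($pem)
        $chainCheck.ChainPolicy.VerificationFlags = [System.Security.Cryptography.X509Certificates.X509VerificationFlags]::AllowUnknownCertificateAuthority
        $chainCheck.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
        $null = $chainCheck.Build($script:remoteCert)
        $result.ServerCertChainsToPem = [bool]($chainCheck.ChainElements |
            Where-Object { $_.Certificate.Thumbprint -eq $pem.Thumbprint })
        $ssl.Dispose()
    } catch {
        $result.Error = $_.Exception.Message
    } finally {
        $client.Close()
    }
    [pscustomobject]$result
}

# Usage with placeholder values (hypothetical host name and path):
# Test-WinCollectConsole -ConsoleAddress 'qradar-console.example.com' -PemPath 'C:\path\to\agent.pem'
```

A result with TcpReachable true but TlsOk false points at a device in the path terminating or blocking TLS on 8413; ServerCertChainsToPem false with TlsOk true means the agent's PEM does not correspond to the certificate the console is actually presenting, which is the case to check after a console certificate change.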
Q4 - Kyle: What is the best solution for bulk disabling automatic updates
when the WinCollect deployment contains thousands of agents?
Q11: I want to have managed WinCollect agents, but I cannot use a standard
port, such as 8413. Can I change the port number?
Q17: What is the recommended time zone setting for WinCollect Servers in a
global deployment?
Note: The next QRadar open mic is scheduled for September 30th, 2014.
The topic is undecided at the moment, but mark your calendars!
WinCollect uses more resources than the ALE; however, it has more features than the
ALE, processes more events, and handles more connections. We talked about system
requirements earlier in the presentation and mentioned that 8 GB of RAM and the other
listed system resources are not necessarily required for low event rate systems. If
the agent is installed as one agent per operating system and forwards only local
events, then 8 GB of RAM and 20% of the CPU are not required, as most endpoints
(user workstations, not servers or domain controllers) generate less than 10 EPS on average.
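Whether a given host falls under the light local-only case or the full requirements depends on its actual event rate. The following is an added example, not from the presentation, that measures a host's own rate from its event logs and uses the 10 EPS figure from the talk as the dividing line; the function name, the default log set and the one-hour window are the example's own choices.

```powershell
# Added example, not from the presentation: measure this host's event rate so the sizing
# decision (full requirements vs. a light local-only agent) rests on a measured number.
# Assumption: the 10 EPS figure from the talk is the threshold; logs and window are choices.
function Get-LocalEventRate {
    param(
        [string[]]$LogName = @('Security', 'System', 'Application'),
        [int]$WindowMinutes = 60
    )
    $now = Get-Date
    foreach ($log in $LogName) {
        $windowStart = $now.AddMinutes(-$WindowMinutes)
        $start = $windowStart

        # If the log wrapped inside the window, its oldest surviving record is newer than the
        # window start; measuring over the full window would then understate the rate.
        $oldest = Get-WinEvent -LogName $log -Oldest -MaxEvents 1 -ErrorAction SilentlyContinue
        $wrapped = ($null -ne $oldest -and $oldest.TimeCreated -gt $windowStart)
        if ($wrapped) { $start = $oldest.TimeCreated }
        $seconds = [math]::Max(1, ($now - $start).TotalSeconds)

        try {
            $count = @(Get-WinEvent -FilterHashtable @{ LogName = $log; StartTime = $start } -ErrorAction Stop).Count
        } catch {
            $count = 0   # Get-WinEvent throws when nothing matched in the window
        }
        [pscustomobject]@{
            LogName       = $log
            WindowSeconds = [int]$seconds
            Events        = $count
            EPS           = [math]::Round($count / $seconds, 2)
            LogWrapped    = $wrapped
        }
    }
}

function Get-AgentSizingClass {
    # A single local agent forwards the sum over all collected logs, so size on the total.
    param([double]$ThresholdEps = 10)
    $rates = Get-LocalEventRate
    $rates | Format-Table -AutoSize
    $total = [math]::Round(($rates | Measure-Object -Property EPS -Sum).Sum, 2)
    if ($total -lt $ThresholdEps) {
        "Total {0} EPS: below {1} EPS, light local-only agent is sufficient" -f $total, $ThresholdEps
    } else {
        "Total {0} EPS: at or above {1} EPS, apply the full system requirements" -f $total, $ThresholdEps
    }
}

Get-AgentSizingClass
```

Run it during a representative busy period rather than overnight; a Security log that shows LogWrapped true within an hour is itself a sign that the host is nowhere near the low-rate case and that its log size should be increased so events are not lost between agent polls.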
Feature                                      WinCollect version   QRadar version
Automatic Log Source Creation                7.2.0 or above       7.2.1 Patch 1
Agent configurations through managed hosts   7.2.0 or above       7.2.1 Patch 3
To use this feature, the admin can specify the IP address of the 16xx or 18xx appliance
in the “Configuration Console Address” field.
Yes, there is an open feature request (FR) to have WinCollect agents purge the
WinCollect logs in C:\Program Files\IBM\WinCollect\logs. This feature will be
available in a future WinCollect Agent version.
Note: The on-air answer was interpreted as not only cleaning up old logs, but
to also make error messages easier to understand when issues occur. Our
development team has been making improvements to how errors are logged in
WinCollect. We plan to continue to improve features and we are evaluating
ideas for adding QIDs and system notifications for error messages from
WinCollect agents to help administrators identify specific agent issues.
Question 4
Note: This slide was added as an answer to this question.
What improvements have been made to remote polling
as WinCollect has progressed?
For example, let’s compare the documented EPS rates from WinCollect version 7.1,
7.2.0, and 7.2.1.
Resources:
• Article 1678809: Configuring DCOM and WMI to Remotely Retrieve Windows 7 Events
(http://bit.ly/IBMqr1678809)
• Article 1666403: WinCollect troubleshooting: The RPC server is unavailable. Error code
0x06BA (http://bit.ly/IBMqr1666403)
• Useful links 1616144: Getting Support for IBM Security QRadar products
(http://bit.ly/U7c4B6)
Follow us:
IBM Support Portal | Open a Service Request | Update your PMR | Escalate your PMR
Statement of Good Security Practices: IT system security involves protecting systems and information through prevention, detection and response to
improper access from within and outside your enterprise. Improper access can result in information being altered, destroyed or misappropriated or can
result in damage to or misuse of your systems, including to attack others. No IT system or product should be considered completely secure and no
single product or security measure can be completely effective in preventing improper access. IBM systems and products are designed to be part of a
comprehensive security approach, which will necessarily involve additional operational procedures, and may require other systems, products or
services to be most effective. IBM DOES NOT WARRANT THAT SYSTEMS AND PRODUCTS ARE IMMUNE FROM THE MALICIOUS OR ILLEGAL
CONDUCT OF ANY PARTY.
www.ibm.com/security
© Copyright IBM Corporation 2014. All rights reserved. The information contained in these materials is provided for informational purposes only,
and is provided AS IS without warranty of any kind, express or implied. IBM shall not be responsible for any damages arising out of the use of, or
otherwise related to, these materials. Nothing contained in these materials is intended to, nor shall have the effect of, creating any warranties or
representations from IBM or its suppliers or licensors, or altering the terms and conditions of the applicable license agreement governing the use of
IBM software. References in these materials to IBM products, programs, or services do not imply that they will be available in all countries in which IBM
operates. Product release dates and/or capabilities referenced in these materials may change at any time at IBM’s sole discretion based on market
opportunities or other factors, and are not intended to be a commitment to future product or feature availability in any way. IBM, the IBM logo, and other
IBM products and services are trademarks of the International Business Machines Corporation, in the United States, other countries or both. Other
company, product, or service names may be trademarks or service marks of others.